Security – Stay N Alive

Why Changing Your LinkedIn Password Is Not Enough

The news is spreading today that LinkedIn’s database was hacked, and millions of users’ password hashes have been leaked. I keep hearing over and over again to “change your password.” That’s smart. I changed mine this morning. Something that people aren’t saying, though, is that your other social networking accounts could be at risk as well, thanks to LinkedIn’s poor security practices combined with a habit most of us share. Here’s why:

If you’re one of the majority of people that use the same password on more than one social network (yes, I’m looking at you, because you’re likely one of them; even security professionals make this mistake), the first thing I would do as an attacker, once I had cracked the leaked password hashes (a hash isn’t decrypted; it’s guessed from wordlists, and common passwords fall within minutes), is not target your LinkedIn account. Instead, I’d take the recovered passwords straight to Facebook, Twitter, and even Google and start trying them there, where I could do more damage.

Is it the same as your Gmail password? Sweet! I get some LOLz on your behalf, and because I now control your e-mail I can start sending password reset requests, without your knowledge, for all of your other accounts. Now I can post to the Google+ Pages you manage. I can post to the Facebook Pages you manage. See where I’m going with this?

If you were using the same password on LinkedIn as anywhere else important on the web, you need to go now and change your password there as well. Here are some quick tips as you do so:

  • Make it more than just a word and numbers. Make it a sentence, preferably with letters, spaces, numbers, and even non-alphanumeric characters (like $ and * and others).
  • Keep it at least 10 characters long – if you take my above recommendation, that should be easy, because sentences are easy to remember.
  • Use a different password for each social network. Adding a different set of numbers or words to the end of one base password is easier to remember, but an attacker who recovers one of those passwords will try exactly that kind of variation against your other accounts first, so the safer version of a “system” is a password manager that generates an unrelated password for each site and remembers it for you.
  • If you can, rotate your passwords every so often. Change a word, add a character or two, it’s up to you. That won’t stop the next breach, but it limits how long a leaked password stays useful.

These tips go a long way, and they really aren’t very difficult to do. You just have to build a system, and do it!
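To make the attack above concrete, here is an added example (not code from this post): it cracks a small constructed “dump” of unsalted SHA-1 digests with a word list and mangling rules, then turns one recovered password into the guesses an attacker would try against the same person’s other sites. The post does not name LinkedIn’s hash function; the example assumes unsalted SHA-1, which is what was reported for that leak. The victims, their passwords, the site list and the word list are all made up for the demo.

```python
"""Cracking an unsalted password dump and pivoting to the victim's other accounts.

Added example, not code from the original post. The victims, their passwords,
the word list and the "leaked" hashes are constructed here. Assumes the dump
holds unsalted SHA-1 digests (as reported for the 2012 LinkedIn leak).
"""
import hashlib
import secrets

SITES = ["linkedin", "facebook", "twitter", "gmail"]


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


def mangle(base, sites=SITES):
    """Candidates an attacker derives from one base word: the kind of variations
    the 'same password plus a suffix' system produces."""
    yield base
    yield base.capitalize()
    for site in sites:
        yield base + site
        yield base + site.capitalize()
        yield site + base
    for n in range(100):
        yield f"{base}{n}"
        yield f"{base}{n:02d}"
    for year in range(1990, 2013):
        yield f"{base}{year}"
    for suffix in ("!", "1!", "123"):
        yield base + suffix


def crack(leaked_hashes, wordlist, sites=SITES):
    """Map hash -> plaintext for every digest the rules hit. With no salt, one SHA-1
    per candidate is checked against every user in the dump at once."""
    found = {}
    for word in wordlist:
        for candidate in mangle(word, sites):
            digest = sha1_hex(candidate)
            if digest in leaked_hashes and digest not in found:
                found[digest] = candidate
    return found


def strip_site(password, sites=SITES):
    """If a recovered password is base+site or site+base (any casing), return the base."""
    low = password.lower()
    for site in sites:
        if low.endswith(site) and len(low) > len(site):
            return password[:-len(site)]
        if low.startswith(site) and len(low) > len(site):
            return password[len(site):]
    return None


def cross_site_guesses(recovered, sites=SITES):
    """Turn one recovered password into the guesses tried against the same person's
    accounts elsewhere: peel off the site name, re-apply the rules."""
    base = strip_site(recovered, sites) or recovered
    return set(mangle(base, sites))


def demo():
    # Constructed victims: alice follows the 'base word + site name' system;
    # bob uses an unrelated random password per site (what a password manager gives you).
    alice = {site: "sunshine" + site.capitalize() for site in SITES}
    bob = {site: secrets.token_urlsafe(16) for site in SITES}
    leaked = {sha1_hex(alice["linkedin"]), sha1_hex(bob["linkedin"])}    # the 'dump'
    wordlist = ["password", "123456", "sunshine", "letmein", "princess"]  # tiny stand-in

    cracked = crack(leaked, wordlist)
    alice_recovered = cracked.get(sha1_hex(alice["linkedin"]))  # 'sunshineLinkedin'
    bob_recovered = cracked.get(sha1_hex(bob["linkedin"]))      # None: no rule reaches it

    # Credential-stuffing step: which of alice's other accounts fall to the derived guesses?
    guesses = cross_site_guesses(alice_recovered) if alice_recovered else set()
    alice_other_hits = {site for site in SITES if site != "linkedin" and alice[site] in guesses}
    return alice_recovered, bob_recovered, alice_other_hits


if __name__ == "__main__":
    print(demo())
```

Running `demo()` recovers alice’s LinkedIn password, derives her Facebook, Twitter and Gmail passwords from it without touching those sites’ hashes, and never recovers bob’s, which is the whole argument for unrelated passwords per site. A real run uses a multi-gigabyte word list and far more rules; the mechanics are the same.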

This article was shared first on Google+.

Please Do Twitter a Favor and Join SocialToo

Today we announced on the SocialToo blog that we’ve enabled our phishing protection for all 60,000+ SocialToo users (and many, many more to come). This project means a lot to me: the more people that use it, the fewer phishing DMs get delivered, the fewer links get clicked, the fewer passwords get shared, and the fewer accounts get compromised. The more I can help prevent this from happening, the better for the web in general.

In total, SocialToo has blocked nearly 200,000 spam DMs sent to our users, and over 25,000 of those were malicious phishing messages trapped automatically by our filters; 5,000 of those came in just since we enabled it on all accounts. That’s 25,000 DMs that could have been collecting your Twitter credentials, compromising your account, and spreading further from it. This service is powerful.

The service gets enabled automatically for any user that just logs in with their Twitter credentials at SocialToo. Of course, I’d love it if you tried our other features, set up some filters, maybe tracked who followed you and stopped following you the previous day on Twitter, but more than anything I want you to help the web in general by eradicating these pesky DMs! Each DM we detect gets deleted from your Twitter account, often before you can see it in your favorite Twitter client, doesn’t get sent in our DM e-mails (found on your Filters page), and a message is sent on your behalf to @spam, also notifying Twitter of the compromised account.

Please, if you haven’t had reason to join SocialToo yet, now is the time. This is your opportunity to, just by logging in, help make Twitter a cleaner place. Be sure to check out Louis Gray’s experience with this service on his blog – I think he too has had a similar experience in seeing the success of having this enabled.

Oh, and stay tuned, other than this and our new design launch, we’ve got some more really big news coming tomorrow that I think you’re going to really like.

Potential FriendFeed Hole Allows Users to Embed Web Bugs

I have discovered a feature (or perhaps a vulnerability?) of FriendFeed that, intended or not, could let marketers track every single view of their RSS posts on FriendFeed.  It revolves around the ability to embed images in your RSS feed via MediaRSS, an extension of RSS.  If your feed is MediaRSS formatted, FriendFeed automatically reads the images in the feed and displays the first one as the main image in the post to your feed on FriendFeed.  Here’s the problem though (or maybe it’s a feature?): FriendFeed stores the original URL of the image as the main image URL.  They don’t rewrite it at all or copy the image to their own servers.  This means the image host can dynamically produce anything it wants on every request, set cookies, log IP addresses, browser and referrer details, etc. without the user ever knowing about it.

I discovered this hole because of an annoyance: my TweetMeme button kept showing up as the image in my posts to FriendFeed.  I noticed that the retweet count was updating dynamically, right on FriendFeed.  Sure enough, looking at the source of the image, it was being generated by TweetMeme’s servers on every view, not served from FriendFeed’s.

Such web bugs are common throughout the web, especially in advertising and other marketing-based mediums, so the threat isn’t huge.  However, it may be something the FriendFeed team wants to look at if they don’t want marketers collecting information about their users (IP addresses, browsers, referring pages, and a cookie that follows each viewer from post to post) off the site itself.  If anything, I’d like to see them ignore third-party image URLs altogether, or fetch and re-host the image themselves, and maybe my pesky TweetMeme icon will stop showing up as the image on my posts to FriendFeed.  Is this a feature or a “bug”?
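Both halves of the problem in code, as an added example (not FriendFeed’s or TweetMeme’s code): a tiny tracking-pixel endpoint showing what the image host learns on every render, and the feed check an aggregator could run to skip third-party image URLs, which is the fix suggested above. The feed, host names, query strings and request environment are constructed for the demo.

```python
"""Third-party images in a MediaRSS feed as web bugs, and the check an aggregator can run.

Added example, not FriendFeed's or TweetMeme's code. The feed, hostnames, query
strings and request environment below are constructed for the demo.
"""
import base64
import secrets
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

MEDIA_NS = "http://search.yahoo.com/mrss/"

# Constructed feed: the first media:content points at a tracking host, the thumbnail
# is served by the blog itself.
FEED = """<?xml version="1.0"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
<channel>
  <link>http://blog.example.com/</link>
  <item>
    <title>A post</title>
    <link>http://blog.example.com/a-post</link>
    <media:content url="http://tracker.example.net/pixel.gif?post=a-post&amp;sub=12345" type="image/gif"/>
    <media:thumbnail url="http://blog.example.com/images/cover.jpg"/>
  </item>
</channel>
</rss>"""


def media_images(feed_xml):
    """Return (item_link, image_url, first_party) for each media:content / media:thumbnail.
    first_party is True only when the image host equals the feed's own host."""
    root = ET.fromstring(feed_xml)
    feed_host = urlparse(root.findtext("./channel/link") or "").hostname
    rows = []
    for item in root.iter("item"):
        for tag in ("content", "thumbnail"):
            for el in item.findall(f"{{{MEDIA_NS}}}{tag}"):
                url = el.get("url", "")
                rows.append((item.findtext("link"), url, urlparse(url).hostname == feed_host))
    return rows


def choose_preview_image(feed_xml):
    """Aggregator policy: take the first image served from the feed's own host; any
    third-party URL is skipped (ignored, or fetched and re-hosted out of band)."""
    for _link, url, first_party in media_images(feed_xml):
        if first_party:
            return url
    return None


# ---- what the image host sees on every render ---------------------------------

PIXEL_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")  # 1x1


def record_hit(environ):
    """One log record per image fetch. The viewer id comes back in a cookie on later
    fetches, so every view of every post by that browser is linked together."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    viewer = cookie["vid"].value if "vid" in cookie else secrets.token_hex(8)
    return {
        "post": query.get("post", [""])[0],
        "subscriber": query.get("sub", [""])[0],    # id the feed owner baked into the URL
        "viewer": viewer,
        "ip": environ.get("REMOTE_ADDR", ""),
        "ua": environ.get("HTTP_USER_AGENT", ""),
        "referer": environ.get("HTTP_REFERER", ""),  # the page that embedded the image
    }


def pixel_app(environ, start_response):
    """WSGI endpoint for the tracking image; serve it with wsgiref.simple_server to run it."""
    hit = record_hit(environ)
    start_response("200 OK", [
        ("Content-Type", "image/gif"),
        ("Cache-Control", "no-store"),  # a fresh request, and a fresh log line, per view
        ("Set-Cookie", f"vid={hit['viewer']}; Path=/; HttpOnly"),
    ])
    return [PIXEL_GIF]
```

`choose_preview_image` returns the blog’s own cover image and never the tracker URL; `record_hit` shows why that matters, since the referrer alone tells the tracker which aggregator page, and therefore which viewer context, triggered the fetch. Re-hosting (fetching the image once and serving it from the aggregator’s origin) still lets the origin count fetches, but it sees the aggregator’s crawler, not each reader’s browser.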

Googling, here’s some more information I found about “Web Bugs”:

Make the Most of Facebook With Fox 13’s New Series

A few weeks back I was interviewed by our local Fox station, Fox 13 KSTU, about Facebook.  I was interviewed by Arikka Von, Katy Carlyle, Nicole Hunter, and Nineveh Dinha about topics such as why you should join Facebook, Facebook privacy, security, and even strategy on Facebook.  The series ran all last week (now all my neighbors want me to give them a class on Facebook), and I think the segments serve as a great resource for anyone wanting to learn the basics of what Facebook can do for them.

For those wondering when I’m on Facebook–Now What??? will get a new edition, rest assured Jason (my co-author) and I are definitely talking about that, and hopefully sooner rather than later we will be able to begin working on it.  We also have something else in the works (again, if I can just get time to get my part done) that I think will tide you over in the meantime.  Until we get any of that together, these videos by Fox 13 Utah serve as a great resource.  Thanks a lot to the entire Fox 13 team for giving me the opportunity to share!  I especially like the one showing you how to set your Facebook privacy settings. Nineveh’s strategy segment was also very useful, I thought (if you’re going to be running against Senator Bob Bennett this election, call me – I’d love to help you out!):

Facebook Fundamentals

Facebook Etiquette

Facebook Security and Privacy

Facebook Strategy

Is Facebook Testing Popups?

Today I was visiting a friend’s Facebook Group, when out of nowhere a popup appeared, asking me to take a survey. Being on a Mac, I’m pretty sure it wasn’t spyware or a virus. I checked the other sites I was on and none seemed to be the type to do this, and Facebook was the last site I had any activity on. The ad popped up right as I entered the particular Facebook group. I’ve contacted Facebook and am awaiting clarification on this. Is Facebook testing popups amongst its users? Could this be from one of their ad partners? Has anyone else seen this? Here’s the ad:

The First Twitter Worm Surfaces – Plain Passwords to Blame?

Back in March, I reported the occurrence of a new worm on Facebook, which spread through a phishing scam and took over users’ profiles.  It would appear that a similar scam is surfacing on Twitter as we speak.  The scam comes in the form of a direct message to a user’s followers, stating “hey! check out this funny blog about you…”, followed by a URL.  When you click on the URL it takes you to a phishing copy of Twitter, looking exactly like the real Twitter login page, which collects your username and password.  I’ve received about 5 of these just in the past hour, so it is spreading rampantly. Twitter just reported the incident here.

Asking those that have sent the message, it would appear most of them filled out the form thinking they were logging into Twitter, so it is most likely one person sent such a message to all their followers, starting the domino effect of spam and password collection.  This raises the question, which I’ve brought up multiple times in the forums and which Chris Messina blogged about today, of the urgency of Twitter requiring OAuth or similar key-based authentication in the API.  It would only take one application similar to Twtply, full of usernames and passwords, being sold to a spammer to set off such a worm.  Essentially, any application which collects your username and password right now has the potential to turn its users into Twitter zombie accounts, similar to this worm spreading currently: spreading false information, collecting bank account information, or you name the possibility.  With a revocable per-application token in place of the password, a sold or compromised app loses its access the moment users revoke it, and the password itself is never sitting in the app’s database to be stolen.

I hope Twitter has this as their number one priority currently – stopping this worm is important, but implementing some sort of key-based authentication such as OAuth should be the next thing on Twitter’s mind, and in my opinion, that should occur even before the new API push they are getting ready to launch.  Twitter – it sounds like you need a patch applied to your service!
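The point above about password-collecting apps versus key-based delegation is easiest to see side by side. The following is an added example written for this page, not Twitter’s API or Twtply’s code: a hypothetical service that accepts both a stored password and a scoped, revocable token, and a simulation of what a buyer of an app’s database can do with each. The service, user and app names are all constructed.

```python
"""Toy model of password-collecting apps vs. key-based (OAuth-style) delegation.
Added example, not Twitter's API or Twtply's code; the service, user and app
names below are constructed for illustration."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    app: str
    scopes: frozenset
    revoked: bool = False


class Service:
    """Hypothetical microblogging service that accepts both styles of login."""

    def __init__(self):
        self._pw_hashes = {}   # user -> hash (toy; a real service uses a slow KDF)
        self._grants = {}      # token -> (user, Grant)
        self.timeline = []     # (user, text) successfully posted

    @staticmethod
    def _h(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, user, password):
        self._pw_hashes[user] = self._h(password)

    def _check_password(self, user, password):
        return self._pw_hashes.get(user) == self._h(password)

    def post_with_password(self, user, password, text):
        """Legacy API: whoever holds the password is the user."""
        if not self._check_password(user, password):
            return False
        self.timeline.append((user, text))
        return True

    def authorize_app(self, user, password, app, scopes):
        """The user authenticates at the service (never at the app) and the app
        receives a scoped token to hold instead of the password."""
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self._grants[token] = (user, Grant(app, frozenset(scopes)))
        return token

    def post_with_token(self, token, text):
        entry = self._grants.get(token)
        if entry is None:
            return False
        user, grant = entry
        if grant.revoked or "post" not in grant.scopes:
            return False
        self.timeline.append((user, text))
        return True

    def revoke_app(self, user, app):
        """The user kills one app's access without touching the password or other apps."""
        count = 0
        for u, grant in self._grants.values():
            if u == user and grant.app == app and not grant.revoked:
                grant.revoked = True
                count += 1
        return count


def demo():
    svc = Service()
    svc.register("alice", "correct horse battery")

    # App 1 stores the raw password (the situation the post warns about).
    legacy_app_db = {"alice": "correct horse battery"}
    # App 2 holds only a scoped token obtained through delegation.
    token = svc.authorize_app("alice", "correct horse battery", "twtply", {"post"})
    # A read-only token for a third app, to show that scopes limit damage too.
    ro_token = svc.authorize_app("alice", "correct horse battery", "stats-app", {"read"})

    # Both app databases are sold to a spammer. What can the buyer do?
    results = {
        "password_app_can_spam": svc.post_with_password("alice", legacy_app_db["alice"], "spam 1"),
        "token_app_can_spam": svc.post_with_token(token, "spam 2"),
        "readonly_token_can_post": svc.post_with_token(ro_token, "spam 3"),
    }

    # Alice notices and revokes twtply from her settings page.
    results["grants_revoked"] = svc.revoke_app("alice", "twtply")
    results["token_app_after_revoke"] = svc.post_with_token(token, "spam 4")
    # The password-based app keeps working until alice changes her password,
    # which would also break every legitimate app that stored it.
    results["password_app_after_revoke"] = svc.post_with_password("alice", legacy_app_db["alice"], "spam 5")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast in `demo()` is the whole argument: a stolen token can be revoked per app and is limited by its scope, while a stolen password is the account until the user changes it everywhere.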

Could Pandora be Leaking User E-mail Addresses to 3rd Parties?

UPDATE: See the comments below. Pandora’s CTO responded with the following explanation – while I haven’t shared much, I can see it being a spyware issue on the computer of someone I’ve shared with. He has a good point.

“Hi there, I’m the CTO over at Pandora. Saw a link to this post on Twitter. I can tell you with absolute certainty that we never have and never will sell, give away, trade or disseminate in any way our listeners email addresses. We also do routine security audits; your email address absolutely is not available anywhere on public systems.

We do however hear of cases like this a couple of times a year and I’ve worked other places where similar complaints would come in. In my experience the cause is almost always spyware on a machine that at one time received an email from the address in question. For example, if you’ve ever used Pandora to share a station with a friend, or invite someone else to use the service, your pandora email address would be on the email we sent to your friend. If that friend has a machine infected with Spyware it’s likely that your email address made it into some spammers directory. Of course we also send you a welcome email, if there’s spyware on your machine that’s another possibility. The final (and least likely) possibility is a simple dictionary attack — since the email address you’re using is it’s possible that some spammer was just iterating on dictionary words against your mail system.

It’s a terrible situation that we live in an environment where it’s nearly impossible to keep our personal email addresses out of the hands of spammers.

Feel free to write any time, with any concern. Predictably I’m tom-at-pandora.”

Could Pandora be giving out or selling their users’ e-mails? They say they don’t, but I got a disturbing e-mail yesterday that I’m still trying to figure out. When I sign up for services, I usually sign up with the e-mail address, so that I can detect where my spam is coming from. Yesterday, I received a weird piece of spam from “” in what I believe to be French. The subject states, “ des vidéos pour les Expatriés, DRH, Exportateurs… A découvrir”. What caught my attention though, is that it was sent to “”.

There’s only one site I ever gave that e-mail address to, and that’s Pandora. Could Pandora be selling e-mail addresses to spammers? Could there be a leak at Pandora, where my e-mail address somehow accidentally got out to spammers? Or is this just a fluke where some spammer decided to randomly send e-mail to where is all wildcard e-mail addresses they’re aware of? I can’t tell, but it’s troubling – I’ve never had a spammer actually use an e-mail address for a service I actually belong to. This makes me wonder if it actually is an issue at Pandora.

I mentioned this on FriendFeed, and a Pandora rep actually did respond (Does your company track FriendFeed?). Here was the thread:

Me: “wtf??? I’m getting Spam and it’s to my Pandora address. Did Pandora sell my e-mail address? NOT HAPPY”
Pandora Radio: “Hi Jesse – We *definitely* never sell or give away listeners’ email addresses. Feel free to email if you’d like. – Lucia, from Pandora”

I want to believe Pandora. They seem like a pretty ethical company, and have supported some good causes in the past. It makes me wonder however if somehow, some e-mail addresses got out of their system that they weren’t aware of. Perhaps my e-mail address is on a public profile somewhere on Pandora’s website? Has anyone else experienced this, and do you have any ideas how this could be happening? The text of the e-mail can be found here.
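The per-service address trick described in this post (give each service its own tagged address, then see which one the spam arrives at) can be automated. The following is an added example, not code from the post or from Pandora: it keeps a small registry of which service was given which address and which sender domains that service legitimately uses, then attributes an incoming message to a service and flags a sender that does not belong. The addresses, domains and both sample messages are constructed; the real addresses were removed from the post.

```python
"""Attribute spam back to the service that was given a tagged address.
Added example; the registry, addresses and messages are constructed."""
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed registry: tagged address -> (service it was given to,
# sender domains that service is expected to mail from).
REGISTRY = {
    "me+pandora@example.com": ("pandora", {"pandora.com"}),
    "me+shop@example.com": ("shop", {"shop.example"}),
}

# Constructed sample messages in RFC 5322 form.
LEGIT = """From: Pandora <noreply@pandora.com>
To: me+pandora@example.com
Subject: Welcome to Pandora

Thanks for signing up.
"""

SPAM = """From: "Videos Export" <promo@bulk-mailer.invalid>
To: me+pandora@example.com
Subject: des videos pour les Expatries, DRH, Exportateurs... A decouvrir

Bonjour ...
"""


def sender_domain(msg):
    """Domain of the From: address, lower-cased ('' if unparseable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def recipients(msg):
    """All To:/Cc: addresses, lower-cased, so tags are matched case-insensitively."""
    headers = [v for h in ("To", "Cc") for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def attribute(raw, registry=REGISTRY):
    """Return one finding per registered address the message was sent to.
    verdict is 'expected' when the sender domain belongs to that service,
    otherwise 'leak_suspected' (the address reached someone it was not given to)."""
    msg = email.message_from_string(raw, policy=policy.default)
    dom = sender_domain(msg)
    findings = []
    for addr in recipients(msg):
        if addr not in registry:
            continue
        service, allowed = registry[addr]
        findings.append({
            "address": addr,
            "service": service,
            "sender_domain": dom,
            "verdict": "expected" if dom in allowed else "leak_suspected",
        })
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spam", SPAM)):
        print(label, attribute(raw))
```

A `leak_suspected` verdict tells you which address leaked, not how: as the CTO’s reply above points out, the same address also sits in every share or invite e-mail the service sent on your behalf, so a hit implicates everyone that address was exposed to, not only the service itself.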

Facebook Puts on Its Chain Mail

With all the recent talk of spam and viruses lately it appears Facebook has truly hit mainstream. You know when the spammers have hit there is truly value in a service. Today I noticed a new trend on Facebook, previously only known to the likes of Snail Mail and E-mail itself, the chain letter. It wasn’t in the form of an application or even a bot of some sort as you would expect on the service. Surprisingly, it was hand-written by who-knows-who and had somehow made it around to my wife’s cousin, who sent it to me. Subsequently, several of my other friends seem to have got it, because I received it from a few others as well.

The letter goes like this:

“Subject: ATTENTION ALL FACEBOOK MEMBERS (August 20 at 8:13pm) Attention all Facebook members. Facebook is recently becoming very overpopulated, There have been many members complaining that Facebook is becoming very slow. Record shows that the reason is that there are too many non-active Facebook members And on the other side too many new Facebook members. We will be sending this messages around to see if the Members are active or not, If you’re active please send to 15 other users using Copy+Paste to show that you are active Those who do not send this message within 2 weeks, The user will be deleted without hesitation to create more space, If Facebook is still overpopulated we kindly ask for donations but until then send this message to all your friends and make sure you send this message to show me that your active and not deleted. Founder of Facebook Mark Zuckerber”

It is sent via the traditional Facebook mail, to which the API has no access. I asked my wife’s cousin if they sent it, and indeed, they actually did forward it to 15 of their friends as the e-mail directs. Therefore it appears this one, amazingly, is being spread manually, from person to person on Facebook.

Now, I’m probably preaching to the choir here on my blog, as I sincerely hope none of you would fall for this. Typically, anything that says, “forward to x number of your friends” is not for real and you should report it or mark it as spam immediately. “Mark Zuckerber” is not going to know you forwarded it to all your friends, and Facebook is not tracking this mail in any way. Your account will not be deleted.

This seems to go back to the days of the Microsoft lottery e-mail hoax that basically said if you forward to all (or any number of) your friends, you get entered for the chance to win a million dollars (or similar amount of money). Supposedly in this e-mail Bill Gates was able to track the e-mails you sent and they were using this to track the number of e-mails that went out.

This does beg the question though – how do normal users of Facebook know for 100% clarity that a message comes directly from Facebook, if they ever need to send something to their users? Is there an “official” method for distributing such messages? Thus far I’m only aware of various blogs on the Facebook site to announce this information.

Now, when people compare Mark Zuckerberg to Bill Gates, I’m not quite sure this is the way he wants to be portrayed. In such a controlled environment as Facebook, do messages like this have any excuse?

Have you seen anything similar? Share your stories here. You’ll find me on Facebook at

Secret Crush Worm Resurfaces

TechCrunch and several other publications recently blogged about new worms surfacing that target Facebook through various means. Some are sent via e-mail with links to malicious videos, while others link directly to phishing sites that look just like Facebook and take the username and password of those thinking they are logging into Facebook. I’ve noticed the recent come-back of one I blogged about 5 months ago called the “Secret Crush” worm – I’ve received 3 wall posts just today from this, along with one or two from the recently announced phishing worms. I can’t help but wonder if the two are related.

The “Secret Crush” worm seems to log into unsuspecting users’ accounts, send wall posts to their friends, and even sometimes, as was the case with my Aunt 5 months ago, change the user’s status as well. All posts seem to link back to a blogspot-hosted site that tries to get more information from the user to find out who their “secret crush” is. Google seems to be removing these almost as fast as they are being put up though.

In the case of all the recent worms, it goes without saying that having a strong password is very important – if you have been hit by any of these worms, change your password and notify Facebook, immediately! In addition, the following pointers should help prevent you from being infected:

Make sure your password is strong!

As mentioned, always make sure your password is strong, and don’t use the same password on Facebook and other Social Networks as you do elsewhere on the internet. This will prevent you from having more than just your social identity stolen.

Never, ever, click on links in e-mails, even from Facebook, unless you’re 100% sure where they are going to.

Don’t just look at the web address you see in the e-mail, but rather mouse-over the link and see where your browser says it’s going to go to. Even then, when in doubt, copy the URL and paste it into your browser – if your e-mail client supports JavaScript for some reason it can still deceive you.

Always be sure you’re on the site you’re supposed to be on before you enter your log in information after clicking on a link from an e-mail.

This is how many of these worms get you – they link to a site that looks and feels like Facebook (or other site), but instead have linked you to something like that is collecting your information. Once they have access to that they have access to everything in your Facebook profile.

Make sure you have anti-spyware and anti-virus software installed!

Facebook is not immune to spyware and viruses. There is actually a well-known spyware application called “Secret Crush”, and it is very likely these two are related. If you are infected with spyware or a virus there is an easy opportunity for these apps to steal your login information as you log into these sites.

Just as with your PC, it is your responsibility to ensure yourself, your computer, and now with social networks, your friends, are protected from viruses, spam, and spyware. You now have a social responsibility to ensure this doesn’t get spread to your friends on these networks.
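The second and third pointers above (the displayed address is not the real target; be sure you are on the site you think you are on) are exactly the checks a mail filter can run before you ever hover. The following is an added example, not code from this post or from Facebook: it parses the HTML body of an e-mail, collects every link, and flags a link whose visible text shows one domain while the href goes to another, or whose text names a brand while the href lands on a different registered domain. The brand table, the sample HTML and the look-alike domain in it are constructed for this example.

```python
"""Flag e-mail links whose visible text does not match where they really go.
Added example; the brand table and the sample HTML are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: brand word that may appear in link text -> its real registered domain.
EXPECTED = {"facebook": "facebook.com"}

# Constructed HTML body. The second link imitates the pattern the post warns
# about: the text shows a Facebook address, the href goes somewhere else.
SAMPLE = """
<p>Someone posted on your wall.
   <a href="https://www.facebook.com/">View it on Facebook</a></p>
<p>Or click
   <a href="http://www.facebook.com.login-example.invalid/">http://www.facebook.com/login</a></p>
<p><a href="https://blog.example.invalid/funny">check out this funny blog about you</a></p>
"""


class LinkCollector(HTMLParser):
    """Gathers (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    """Naive 'last two labels' rule; production code should use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def check_links(html):
    """Return one finding per link with the reasons it looks deceptive (if any)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        # 1. The visible text shows a domain that differs from the real target.
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1).lower()) != registered_domain(host):
            reasons.append("display/target mismatch")
        # 2. The text names a brand, but the target is not that brand's domain
        #    (catches look-alikes such as brand.com.<something-else>).
        for brand, domain in EXPECTED.items():
            if brand in text.lower() and registered_domain(host) != domain:
                reasons.append(f"claims {brand}, goes to {host}")
        findings.append({"href": href, "text": text, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['text']!r} -> {f['host']} {f['reasons']}")
```

Note what the third link shows: a lure with no domain and no brand in its text (the same “funny blog about you” wording as the Twitter worm described earlier on this page) produces no finding, because there is nothing to contradict. That is why the pointer above still ends with “when in doubt, copy the URL and paste it into your browser”.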

Have you been infected? What is it that you think caused the infection? Please share with us in the comments below and on FriendFeed.

The iPhone Needs Privacy Controls

The iPhone seems to have created a huge security and privacy problem recently that I think many more people should be watching. By launching a developer platform and SDK, Apple has essentially created one of the largest social network platforms in existence, bringing even more powerful and personal data than ever before to the developer. Apple is essentially enabling the developers themselves to create the iPhone social network with almost no power whatsoever given to the iPhone user on how to enable or disable that data.

I became acutely aware of what a huge issue this is when I, like many other iPhone early adopters, downloaded the Loopt application from the iTunes App Store and signed up for their service over my iPhone. Before I knew it, I realized I had just SMS’d about half of the contacts on my iPhone, including important business contacts and more that I would just rather not have an Application have access to. I couldn’t necessarily SMS them an apology, as that would just add to the issue I had just created. In fact, my Mom, who doesn’t have an SMS plan on her cell phone, called me later that day to ask that I not send SMS text messages to her cell phone, when in reality, I had no idea it was sent to her! Loopt had assumed that it would be okay to allow their users to send their friends SMS messages inviting them to Loopt (in a very ambiguous manner); after mass complaint, Loopt quickly retracted from their efforts.

I argue this wasn’t Loopt’s fault though. Of course, Loopt does have some responsibility to satisfy their users, but despite having to apply to be in Apple’s directory, there is nothing stopping them from being malicious with the way they are handling the data on your iPhone. I know Loopt had no ill intentions, but this could have been any App out there with ill, or even not-so-ill intentions. Apple has no privacy controls on the iPhone giving the user control over what Applications can and can’t access, and as we’ve seen already, this is coming back to haunt them.

The iPhone has some very powerful features, accessible via the API, that make it an extremely valuable and unprecedented Social Networking tool. I’ll list those here:

Location, Location, Location – the Profile

First of all, the iPhone has access to your location and where you’ve been, which, I argue, is much more valuable information than any other Social Network profile in existence can provide about an individual user. The iPhone makes the people in the “Social Network” real.

The Contact List – your Friends

The iPhone has one of the most realistic contact/friend lists available in existence. The iPhone contact list contains information about people you actually talk to and interact with in real life. It also imports your other contact lists from other locations such as Gmail. No other Social Network in history has that type of completely real information about those you truly interact with on a daily basis.

Multimedia – the big picture

The iPhone has the most up-to-date photos, audio, and other multimedia in existence. Think about it — every social network you belong to currently probably has photos that originated from your iPhone or other camera. They are on your iPhone before they are on the Social Network. The iPhone also has real-time listening habits of users, along with your mail, your internet history, your stocks, the weather in your location — I could keep going on and on!

As you can see, the iPhone provides an extremely rich set of data integration points which any Application can take right now, and use as they please, and the user has absolutely no control over it (minus one prompt if the application is trying to get your location data). This is actually quite scary if you think about it!

Apple really needs to take a lesson from Facebook on this. One of my favorite features of Facebook is the fact that I can click on a single link and control all the information I save on Facebook right then and there. As a user, I can feel comfortable that no application I install will share my information in any way I don’t want Facebook to share it. Facebook takes pride in this, and it has even caused them problems as they have tried to fight this with the likes of Google’s FriendConnect to protect this data and keep it in the hands of their users if the users do not want it shared.

Never in history has there been such a phenomenon as the iPhone SDK being opened. It’s brand new, and it’s unprecedented, so issues and flaws are to be expected. I only hope that Apple can, in the end, respect their users’ privacy and place a little more control over what data the Apps you install are allowed to access. Doesn’t this concern you?